Schneier Calls US Stuxnet Cyberattack a 'Destabilizing and Dangerous' Action

alphadogg writes "Revelations by The New York Times that President Barack Obama in his role as commander in chief ordered the Stuxnet cyberattack against Iran's uranium-enrichment facility two years ago in cahoots with Israel is generating controversy, with Washington in an uproar over national-security leaks. But the important question is whether this covert action of sabotage against Iran, the first known major cyberattack authorized by a U.S. president, is the right course for the country to take. Are secret cyberattacks helping the U.S. solve geopolitical problems or actually making things worse? Bruce Schneier, whose most recent book is 'Liars and Outliers,' argues the U.S. made a mistake with Stuxnet, and he discusses why it's important for the world to tackle cyber-arms control now."

Nonsense!

[fuzzyfuzzyfungus]

How could contributing to the spread of clever computer-intrusion technologies(both with things like Stuxnet, and with the pernicious habit of doing business with the sort of slimy vulnerability-sellers whose customers want to exploit, not patch, them), possibly be a bad idea for a country whose citizens, businesses, government, and R&D capabilities are overwhelmingly dependent on computerized infrastructure?

That's crazy talk.

Re:Nonsense!

[luis_a_espinal]

The astonishing thing is that anyone in the Obama administration was stupid enough to think that secrecy could be maintained on this indefinitely.

Who says they were thinking that? Trying to keep it under wraps as long as possible (a reasonable strategy from a tactical/strategic POV) does not imply the belief it can be done so indefinitely.

Your sentence makes a nice target against which to launch a tirade, but barring corroborating facts, it is one built on speculation.

Obama's Record

[MyLongNickName]

I voted for Obama based on two things: I hated how George Bush increased deficits recklessly and I hated how the Republican cavalierly meddled in other country's affairs using military might.

I feel like a fool.

Re:Obama's Record

[Mitchell314]

Normally I'd agree with you, but in this case bytes is better than bullets, IMO. If the future of warfare is more about breaking machines and less about killing people, well it is a step up.

Re:Obama's Record

[luis_a_espinal]

So let me get this straight, you thought any US administration was just going to sit by and let Iran gain nuclear capabilities.

Apparently that is his/her line of thinking, and for that, humanity weeps.

I don't understand what in Baal's name these ignoramuses expected when they voted for Obama, that he was going to kumbaya his way to the Ayatollah's hearts, that Bin Laden was going to repent and kill himself out of remorse, that all the jobs that went to China will come back (and with a pay increase to boot), and that all the shit that permeates international reality was going to magically turn into Pandora's bioluminescent flowers and hexapodal bunnies with cute emerald eyes, with Thinkerbell pixie dust poured from over a rainbow in peaceful anarchic harmony?

Uninformed, delutional ideological thinking (be it left or right leaning), that is the stuff nightmares are made of.

I didn't vote for Obama in 2008, but I can't really say he is doing a terrible job, or that he lied. I actually like him more than what the GOP (the party I'm registered for) has to offer, and he has done a decent job considering all current factors.

People who now feel betrayed for voting for him are as stupid as the people who think Obama is the root cause of all evil and that shit will turn to honey once they vote a Repub back into the presidency (specially if he believes Darwin's "On The Origin of Species" is a work of fiction.)

Stupidity of the most grotesque kind permeates both sides of the political spectrum. Such is the ethos of the at-will uneducated simpleton masses.

No this is where the U.S. made a mistake with Iran

[crazyjj]

The U.S. made a mistake with Iran with that stupid "Axis of Evil" speech. I'm still not sure why that speech isn't recognized as one of the biggest diplomatic blunders in recent history. First of all, lumping Iran and North Korea in with Iraq (who Bush planned to invade) served no good purpose. It was basically an open threat to Iran and North Korea that we were going to invade them next. And, not surprisingly, both responded by ramping up their nuclear weapons programs to a feverish pace (since nukes are basically the only way to ensure that the U.S. can't invade).

Iran was actually getting pretty moderate before that speech, even sending open condolences and holding vigils after 9-11, with fairly moderate leadership. After the speech we get Ahmadinejad and and full-on nuke program. Smart move, George.

I Think You Missed the Point

[eldavojohn]

How could contributing to the spread of clever computer-intrusion technologies(both with things like Stuxnet, and with the pernicious habit of doing business with the sort of slimy vulnerability-sellers whose customers want to exploit, not patch, them), possibly be a bad idea for a country whose citizens, businesses, government, and R&D capabilities are overwhelmingly dependent on computerized infrastructure?

I have to disagree with you here. To ensure that your businesses and citizens and government and infrastructure are sound, you should always be investigating modes for attacks and publishing them. My logic is that if the United States Government is able to develop this, then so is China's, Russia's, India's, etc so get it out in the open already. In fact, your claim almost seems to advocate security through obscurity. If you want to ensure that people aren't pilfering data without your knowledge, publish your exploits and what you see as "contributing to the spread of clever computer-intrusion technologies" could just as well be seen as "telling SCADA and other makers to pull their heads out of their asses and fix this." Also, your statements can apply to every single country now, even third world countries are largely dependent on networking hardware to function.

The reason this is a "destabilizing and dangerous" action was because it was effective -- not because the US Government secretly given hackers a bunch of ways to hack every computer ever made. Also, the US kind of lost the "moral high ground" now when someone hacks their nuclear facilities with the intent of disabling our capabilities. Use an effective cyber attack against a nation state that does not have similar capabilities ... "destabilizing and dangerous" is a definition of what you can expect the repercussions to be.

Re:I Think You Missed the Point

[fuzzyfuzzyfungus]

I apologize if I wasn't clear; but my point was that possessing electronic offense and improving electronic defense are directly at odds with one another(and, as you note, we are hardly the only country with a supply of adequately smart geeks.)

If you want to use an attack, you need a vulnerability. If you want to use an attack against a really clueful adversary, you may need a really juicy vulnerability, a set of zero-days(as with Stuxnet) or that nifty code-signing trick with Flame, or the like. This is where the trouble starts:

Your attack people now have a direct interest in keeping certain vulnerabilities unfixed. Since much of the world's software is widely used, and has a reasonably publicly visible update process, there is no viable way to sneak out some kind of 'Important vulnerability fix for Win32 systems in the US only'. Either you keep the bug secret, leaving your own people vulnerable, in the hopes that you can hit the other guy before he discovers the problem, or you protect everyone from that vulnerability by getting it fixed.

Having US 'national security' types researching vulnerabilities is a good thing; but only if they do so with the intent of getting them fixed(US-CERT vulnerability reporting, for instance, makes us stronger.) That is how you 'get it in the open'. Things like Stuxnet and Flame were based on vulnerabilities that were kept in the dark(during which time they could have been used against us) for as long as possible.

It's not that I advocate security through obscurity(quite the opposite, in fact), it's that in order to possess good offensive tools you must, necessarily, have knowledge of vulnerabilities that you are concealing. You had to discover them in order to build your attack system, you have to hide them in order to preserve its effectiveness. That's the problem. Possession of useful offensive capabilities implies that you are condemning everyone, your own people included, to security-by-obscurity.

Re:So, they have found the proof?

[crazyjj]

Would you liked a signed letter from the CIA and NSA directors talking about their top secret program? Because, obviously vetted sources in the most reputable newspaper in the U.S., a Congressional investigation into the leak, a Presidential denial of the leak, etc. aren't enough to convince you. So I'm assuming that we need to get Leon Panetta to come over to your house and read you in on the program.

Re:No this is where the U.S. made a mistake with I

Smart move, George.

Intentional move, with successful outcome. The POTUS needs an outside enemy so the people will forget to debate internal issues.

Re:So, they have found the proof?

[Maximum+Prophet]

A friend of mine was in the Air Force in the '50s, stationed in France. While he was there, several Soviet generals were invited to tour the facilities, and inspect the bombers. My friend stated that if he had disclosed this information, he'd have been hanged, but here they were giving it away.

Of course, this was a controlled release of info, excluding critical operational details. Deterrence only works if the other side thinks that you have better weapons and will use them. So, yes, sometimes you do have to leave a calling card. The thing is, sometimes it looked like the US Government and the Soviet Government were in a conspiracy against their own respective peoples.

Re:Yes, and?

[DesScorp]

And if you see a vulnerability in scum like Kim Barking Mad Teapots North Korea or Ahmadinejad's Iran then we should be doing our best to take them out now whilst we still can.

Which is exactly the mind set that got us into this position. Neither Iran nor North Korea would be such a big problem for us now if we hadn't sponsored a coup in one, and used the other as a proxy during the Cold War.

The way we deal with them today will set the stage for the next 50-100 years. We can keep fucking with them, or we can work on decreasing tensions.

This is absolutely astonishing. We "used" North Korea as a proxy? Really? Crawl out of your political cocoon for a minute, and look at the facts: North Korea is a pariah because it attempted an invasion of South Korea in 1950, supplied and backed by the Soviet Union and Maoist China. The Norks were a proxy, all right, but a proxy used as a weapon against the West and emerging Asian democracies by Stalin and Mao.You DO know this, right? Or are we going to get a conspiracy theory about it? And ever since, they've periodically attacked the South or US forces stationed there. The regime is infamous for kidnapping South Korean citizens for reasons as varied as the need for political prisoners to Kim Jong Il having the hots for a actress he saw in the South. The Norks are as institutionally brutal, corrupt, and totalitarian as any regime in history, and they got that way all on their own. Every time we try to "decrease tensions" with the North... giving them aid, etc... they abuse it, renege on their agreements, and inevitably attack the South in some manner. Did you forget that they sank a ship of the SK Navy a few years ago, literally because they could get away with it? That they just woke up one day and decided to shell South Korea last year?

You can debate the Iranian situation (though I think an Islamist government was inevitable no matter what policy we followed), but to somehow blame us for North Korea is the very height of what Jeanne Kirkpatrick used to call the "Blame America First" syndrome.